Skip to main content
Skyhigh Security

Authentication Server (Time/IP Based Session with OTP and Pledge) Rule Set

The Authentication Server (Time/IP Based Session with OTP and Pledge) rule set is a library rule set for authenticating users through one-time passwords that are provided by a Skyhigh Security Pledge device.

Library rule set - Authentication Server (Time/IP Based Session with OTP and Pledge)

Criteria – Always

Cycle – Requests (and IM)

The following rule sets are nested in this rule set:

  • Check for Valid Authentication Session
  • Authentication Server

Check for Valid Authentication Session

This nested rule redirects a user's request sent from a client to the authentication server if the user has not yet been successfully authenticated on that server.

Nested library rule set - Check for Authentication Session

Criteria – Authentication.IsServerRequest equals false AND

(Connection.Protocol equals "HTTP" OR

Connection.Protocol equals "SSL" OR

Connection.Protocol equals "HTTPS" OR

Connection.Protocol equals "IFP")

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies if the request that is currently processed is not requesting a connection to the authentication server and the protocol used in this communication is one of the four that are specified.

The rule set contains the following rules:

Fix hostname

Command.Name equals "CERTVERIFY" AND SSL.Server.Certificate.CN.HasWildcards equals false –> Continue – Set URL.Host = SSL.Server.Certificate.CN

The rule uses an event to set the host name that is submitted with the URL of a request to a particular value, which is required when communication is going on under the SSL protocol. This value is the common name of the certificate that is provided in this communication.

The rule applies if the request that is processed contains the CERTVERIFY command and no wildcards are allowed for the common name.

Redirect clients that do not have a valid session to the authentication server

Authentication.Authenticate<IP Authentication Server> equals false AND Command.Name does not equal "CONNECT" –> Authenticate<Default>

The rule uses the Authentication.Authenticate property to check whether the user who sends a request is successfully authenticated at the user database of the authentication server. For this purpose, the IP address of the client that the request was sent from is evaluated.

The Command.Name property is used to check whether the request is a connection request in SSL-secured communication.

If neither is the case, the user is asked to submit credentials for authentication. This action is executed with the specified settings.

Revalidate session under ideal conditions

Authentication.CacheRemainingTime less than 400 AND

Connection.Protocol equals "HTTP" AND

Command.Name equals "GET"

–> Authenticate<Default>

Under particular conditions (which could be termed "ideal"), a user is asked to authenticate again after sending a request to ensure the current web session is prolonged before the time quota has elapsed completely.

This is done if communication is going on under the HTTP protocol and the request contains the GET command.

The rule is not enabled by default.

Authentication Server

This nested rule set forwards a request for web access by a user who submitted a valid one-time password that was retrieved from a Skyhigh Security Pledge device.

A user who did not submit a valid one-time password is asked to authenticate. Authentication is first performed using information from the user database of the authentication server.

A successfully authenticated user is then informed that web access also requires a one-time password from a Skyhigh Security Pledge device.

Nested library rule set - Authentication Server 

Criteria – Authentication.IsServerRequest equals true

Cycle – Requests (and IM)

 

The rule set criteria specifies that the rule set applies when a user who sent a request must be authenticated using information from an authentication server.

The rule set contains the following rules:

Authenticate user against user database

Authentication.Authenticate<User Database at Authentication Server> equals false –> Authenticate<Default>

The rule uses the Authentication.Authenticate property to check whether a user who sent a request and submitted an invalid one-time password could be successfully authenticated at the user database on the authentication server.

If this is not the case, the user is asked to authenticate.

Show block template

URL.GetParameter(pledgeOTP) equals " " –> Block<Authentication.Server OTP with PledgeOTP>

The rule uses the URL.GetParameter property to check whether a one-time password from a Skyhigh Security Pledge device was sent as a parameter of the URL in a request.

If the parameter is empty, the request is blocked and the user is informed that authentication using a one-time password from a Skyhigh Security Pledge device is also required for web access.

Retrieve OTP context

Always –> Continue – Authentication.SendOTP<OTP>

The rule uses an event to send context information on the one-time password authentication process to an authenticated user.

This way the information is retrieved that is required to validate a one-time password on a Skyhigh Security OTP server.

Redirect back if we have a valid OTP

Authentication.Authenticate<OTP> equals true –> Redirect<Redirect Back from Authentication Server>

The rule uses the Authentication.Authenticate property to check whether a user who submitted a one-time password with a request for web access could be successfully authenticated.

If this is the case, web access is allowed and the user is redirected from the authentication server to the requested web object.

Stop after providing an invalid OTP

Authentication.Failed equals true –> Block<Authorized Only>

The rule uses the Authentication.Failed property to check whether a user who submitted a one-time password with a request for web access could not be successfully authenticated.

If this is the case, the request is blocked and a message informs the user about the blocking and the block reason.

  • Was this article helpful?